RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: Larry Medina <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Fri, 29 Mar 2013 15:26:40 -0700
Irrespective of WHAT you may hear from others about the obligation for a
commercial service provider to comply with the requirements in a Business
Associates Agreement, if you are storing PHI, as a client of a provider,
you would be COMPLETELY FOOLISH NOT TO require one.  If a provider is
unwilling to accept the terms, then seek another provider.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

"The HIPAA Rules generally require that covered entities and business
associates enter into contracts with their business associates to ensure
that the business associates will appropriately safeguard protected health
information.  The business associate contract also serves to clarify and
limit, as appropriate, the permissible uses and disclosures of protected
health information by the business associate, based on the relationship
between the parties and the activities or services being performed by the
business associate."

Here's the deal - you (as a record owner/custodian) have the liability if
the information is accidentally exposed - if you have transferred custodial
responsibility for the records to a 3rd party and have a contractual
agreement with them to provide care and custody, then that responsibility
shifts to them.  If you DO NOT have a "Business Associates Agreement" in
place, you continue to bear the responsibility for their actions.


Think of it like this... you are moving across country, you hire a
warehouse and transportation firm to move your household goods.  While
living at home, your property is protected by homeowners insurance, but
that doesn't cover your property while in storage or transit.  The firm has
a fire, or the truck gets broken into or crashes and burns.  Who should be
responsible for replacing your property?  Certainly not you... you had a
contract for someone else to protect it while they were in custody of it.

What Jim speaks of regarding UCC is an often argued about clause between a
storage provider and a client in the case of a total loss (fire) or even
the odd case where records are lost while in transit or in storage.  The
typical limit you see in a contract is somewhere in the area of "$1 per
cubic foot, up to a maximum of XYZ in a loss" and while that Warehouseman's
language is fine if they are storing common commodities, that won't even
cover the cost of replacing a BOX in the case of business records.  It's up
to the client storing records to determine what they feel the value of
their records is and to evaluate the facility they are considering to
determine the risks.  How deep you want to go to do that is ALSO up to you,
but there are tools available to help you, and you may want to include
having your insurance broker or someone get involved in the determination
of the level of risk you'd be exposed to.

And yes, others may tell you, so I'll say it... I was the Chair of the ARMA
Standards Development Committee when there was such a thing and the Project
Manager for the "Guideline for Evaluating Offsite Storage Facilities" and I
am also a Principal Member of the NFPA 232 "Standard for the Protection of
Records" Committee.

Larry
[log in to unmask]


On Fri, Mar 29, 2013 at 12:42 PM, Zimmerlin, James S. <
[log in to unmask]> wrote:

> Good Afternoon,
>
> I have been working on gathering some information on limitation of
> liability for records storage/destruction services and was hoping to get
> some feedback from a few fellow records and information professionals. I am
> interested in finding out what others have negotiated, as far as the cap,
> to develop a baseline for what is considered reasonable, particularly those
> dealing with PII or PHI.
>
> If you have had any experience, I would love your insight.
>
> Have a great weekend!
>
> James S. Zimmerlin, CA
> E-mail: [log in to unmask]
>
> List archives at http://lists.ufl.edu/archives/recmgmt-l.html
> Contact [log in to unmask] for assistance
> To unsubscribe from this list, click the below link. If not already
> present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the
> message.
> mailto:[log in to unmask]
>



-- 
*Lawrence J. Medina
Danville, CA
RIM Professional since 1972*
